An unauthenticated attacker can execute malicious scripts in the context of a user's browser session via a Cross-Site Scripting (XSS) vulnerability in the Ofisimo Web Package Flora software.

This is an Improper Neutralization of Input During Web Page Generation (XSS) vulnerability. It specifically allows for the injection of malicious payloads through HTTP headers, which are then improperly rendered by the application, likely affecting unauthenticated users interacting with the web interface.

A successful XSS attack can lead to the theft of session cookies, account takeover, and the defacement of the web application. With a CVSS score of 7.6, this High severity flaw poses a direct threat to user data integrity and can be used as a stepping stone for more complex attacks against the organization's web infrastructure.

Immediate Action: Apply the security updates provided by Ofisimo for the Web Package Flora platform to implement proper input validation and output encoding.

Proactive Monitoring: Monitor web server logs for suspicious HTTP headers containing script tags (e.g., <script>) or unusual encoded characters.

Compensating Controls: Implement a robust Content Security Policy (CSP) to restrict the sources from which scripts can be executed and use a WAF to filter malicious HTTP header input.

Public Exploit Available: false

The severity of this XSS vulnerability requires immediate remediation to protect end-users. Organizations using Ofisimo Flora should verify their patch levels and ensure that all web-facing components are correctly configured to sanitize all forms of input, including headers.